arisa 2.3.26 → 2.3.27

package/bin/arisa.js

@@ -416,14 +416,15 @@ function arisaUserExists() {
 }
 
 function isArisaUserProvisioned() {
-  return arisaUserExists() && existsSync("/home/arisa/.bun/bin/bun");
+  return arisaUserExists();
 }
 
 function step(ok, msg) {
   process.stdout.write(`  ${ok ? "\u2713" : "\u2717"} ${msg}\n`);
 }
 
-const ARISA_BUN_ENV = 'export BUN_INSTALL=/home/arisa/.bun && export PATH=/home/arisa/.bun/bin:$PATH';
+const ROOT_BUN_INSTALL = process.env.BUN_INSTALL || join(homeDir, ".bun");
+const ARISA_BUN_ENV = `export BUN_INSTALL=${ROOT_BUN_INSTALL} && export PATH=${ROOT_BUN_INSTALL}/bin:$PATH`;
 
 function provisionArisaUser() {
   process.stdout.write("Creating user 'arisa' for Claude/Codex CLI execution...\n");
@@ -445,21 +446,20 @@ function provisionArisaUser() {
     step(false, `Sudo setup skipped: ${e.message || e}`);
   }
 
-  // 3. Install bun for arisa (curl — lightweight, no bun child process)
-  process.stdout.write("  Installing bun for arisa (this may take a minute)...\n");
-  const bunInstall = spawnSync("su", ["-", "arisa", "-c", "curl -fsSL https://bun.sh/install | bash"], {
-    stdio: "inherit",
-    timeout: 180_000,
-  });
-  if (bunInstall.status !== 0) {
-    step(false, "Failed to install bun");
-    process.exit(1);
-  }
-  step(true, "Bun installed for arisa");
+  // 3. Give arisa access to root's bun (no separate install needed)
+  grantBunAccess();
+  step(true, "Access to root's bun granted");
 
   process.stdout.write("  Done. Core will run as arisa; Claude/Codex calls are direct.\n\n");
 }
 
+function grantBunAccess() {
+  // Allow arisa to traverse into /root (execute only, not read)
+  spawnSync("chmod", ["o+x", homeDir], { stdio: "ignore" });
+  // Allow arisa to read+execute root's bun and globally installed CLIs
+  spawnSync("chmod", ["-R", "o+rX", ROOT_BUN_INSTALL], { stdio: "ignore" });
+}
+
 // Provision arisa user if running as root and not yet done
 if (isRoot() && !isArisaUserProvisioned()) {
   provisionArisaUser();
@@ -468,6 +468,8 @@ if (isRoot() && !isArisaUserProvisioned()) {
 // When root + arisa exists: route all runtime data through arisa's home
 // so Core (running as arisa) and Daemon (root) share the same data dir.
 if (isRoot() && arisaUserExists()) {
+  // Ensure arisa can access root's bun on every startup
+  grantBunAccess();
   const arisaDataDir = "/home/arisa/.arisa";
   const rootDataDir = join("/root", ".arisa");
 
@@ -538,7 +540,7 @@ switch (command) {
     // preserves parent env (ARISA_DATA_DIR, tokens, API keys).
     let child;
     if (isRoot() && arisaUserExists()) {
-      const bunEnv = "export HOME=/home/arisa && export BUN_INSTALL=/home/arisa/.bun && export PATH=/home/arisa/.bun/bin:$PATH";
+      const bunEnv = `export HOME=/home/arisa && ${ARISA_BUN_ENV}`;
       const cmd = `${bunEnv} && cd ${pkgRoot} && exec bun --watch ${daemonEntry}`;
       child = spawnSync("su", ["arisa", "-s", "/bin/bash", "-c", cmd], {
         stdio: "inherit",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "arisa",
-  "version": "2.3.26",
+  "version": "2.3.27",
   "description": "Arisa - dynamic agent runtime with daemon/core architecture that evolves through user interaction",
   "keywords": [
     "tinyclaw",
@@ -52,4 +52,4 @@
     "@types/bun": "latest",
     "@types/crypto-js": "^4.2.2"
   }
-}
+}

package/src/daemon/auto-install.ts

@@ -19,7 +19,6 @@ const CLI_PACKAGES: Record<AgentCliName, string> = {
   codex: "@openai/codex",
 };
 
-const ARISA_BUN_ENV = 'export BUN_INSTALL=/home/arisa/.bun && export PATH=/home/arisa/.bun/bin:$PATH';
 const INSTALL_TIMEOUT = 120_000; // 2min
 
 type NotifyFn = (text: string) => Promise<void>;
@@ -34,10 +33,8 @@ async function installCli(cli: AgentCliName): Promise<boolean> {
   log.info(`Auto-install: installing ${cli} (${pkg})...`);
 
   try {
-    // When running as root, install into arisa user's bun (consistent with setup.ts)
-    const cmd = isRunningAsRoot()
-      ? ["su", "-", "arisa", "-c", `${ARISA_BUN_ENV} && bun add -g ${pkg}`]
-      : ["bun", "add", "-g", pkg];
+    // Install into root's bun (arisa has read+execute access)
+    const cmd = ["bun", "add", "-g", pkg];
 
     const proc = Bun.spawn(cmd, {
       stdout: "pipe",

package/src/daemon/lifecycle.ts

@@ -131,7 +131,8 @@ export function startCore() {
     // (encryption keys, DB, PID files, etc.) before Core reads them.
     spawnSync("chown", ["-R", "arisa:arisa", config.arisaDir], { stdio: "ignore" });
 
-    const bunEnv = "export HOME=/home/arisa && export BUN_INSTALL=/home/arisa/.bun && export PATH=/home/arisa/.bun/bin:$PATH";
+    const bunInstall = process.env.BUN_INSTALL || "/root/.bun";
+    const bunEnv = `export HOME=/home/arisa && export BUN_INSTALL=${bunInstall} && export PATH=${bunInstall}/bin:$PATH`;
     const inner = `${bunEnv} && cd ${config.projectDir} && exec bun --watch ${coreEntry}`;
     cmd = ["su", "arisa", "-s", "/bin/bash", "-c", inner];
     log.info(`Starting Core as arisa: bun --watch ${coreEntry}`);

package/src/daemon/setup.ts

@@ -230,9 +230,8 @@ async function setupClis(inq: typeof import("@inquirer/prompts") | null, vars: R
 
 async function installCli(cli: AgentCliName): Promise<boolean> {
   try {
-    const cmd = isRunningAsRoot()
-      ? ["su", "-", "arisa", "-c", `export BUN_INSTALL=/home/arisa/.bun && export PATH=/home/arisa/.bun/bin:$PATH && bun add -g ${CLI_PACKAGES[cli]}`]
-      : ["bun", "add", "-g", CLI_PACKAGES[cli]];
+    // Install into root's bun (arisa has read+execute access)
+    const cmd = ["bun", "add", "-g", CLI_PACKAGES[cli]];
     const proc = Bun.spawn(cmd, {
       stdout: "inherit",
       stderr: "inherit",

package/src/shared/ai-cli.ts

@@ -10,9 +10,11 @@ import { delimiter, dirname, join } from "path";
 
 export type AgentCliName = "claude" | "codex";
 
-const ARISA_USER_BUN = "/home/arisa/.bun/bin";
 const ARISA_HOME = "/home/arisa";
-const ARISA_BUN_ENV = `export HOME=${ARISA_HOME} && export BUN_INSTALL=${ARISA_HOME}/.bun && export PATH=${ARISA_USER_BUN}:$PATH`;
+// Use root's bun — arisa user has traverse+read access via chmod o+x /root, o+rX /root/.bun
+const ROOT_BUN_INSTALL = process.env.BUN_INSTALL || "/root/.bun";
+const ROOT_BUN_BIN = `${ROOT_BUN_INSTALL}/bin`;
+const ARISA_BUN_ENV = `export HOME=${ARISA_HOME} && export BUN_INSTALL=${ROOT_BUN_INSTALL} && export PATH=${ROOT_BUN_BIN}:$PATH`;
 
 export function isRunningAsRoot(): boolean {
   return process.getuid?.() === 0;
@@ -43,7 +45,7 @@ function candidatePaths(cli: AgentCliName): string[] {
     // When root, CLIs are installed under arisa user's bun
     return unique([
       cliOverrideEnvVar(cli),
-      join(ARISA_USER_BUN, cli),
+      join(ROOT_BUN_BIN, cli),
     ]);
   }
 
@@ -98,7 +100,7 @@ export function buildBunWrappedAgentCliCommand(cli: AgentCliName, args: string[]
   if (isRunningAsRoot()) {
     // Run as arisa user — Claude CLI refuses to run as root.
     // This path is used by Daemon fallback calls; Core runs as arisa directly.
-    const cliPath = resolveAgentCliPath(cli) || join(ARISA_USER_BUN, cli);
+    const cliPath = resolveAgentCliPath(cli) || join(ROOT_BUN_BIN, cli);
     const inner = ["bun", "--bun", INK_SHIM, cliPath, ...args].map(shellEscape).join(" ");
     // su without "-" preserves parent env (tokens, keys); explicit HOME/PATH for arisa
     return ["su", "arisa", "-s", "/bin/bash", "-c", `${ARISA_BUN_ENV} && ${buildEnvExports()}${inner}`];